The invention relates to the field of storage area networking, with emphasis on Fibre Channel networks. In particular the invention relates to spoofing and replay attack-resistant, zoned, Fibre Channel networks.
Most modern computer networks, including switched Fibre Channel networks, are packet oriented. In these networks, data transmitted between machines is divided into chunks of size no greater than a predetermined maximum. Each chunk is packaged with a header and a trailer into a packet for transmission. In Fibre Channel networks, packets are known as Frames. Fibre Channel frames may encapsulate a block-oriented protocol operating at a higher level.
A Fibre Channel network having at least one switch is a switched Fibre Channel fabric. A Fibre Channel switch is a routing device generally capable of receiving frames, storing them, decoding destination information from headers, and forwarding them to their destination or another switch further along a path toward their destination. A network interface for connection of a machine to a Fibre Channel fabric is known as an N-port, and a machine attached to a Fibre Channel network is known as a node. Nodes may be computers, or may be storage devices such as RAID systems. An NL-Port is an N-port that supports additional arbitration required so that it may be connected either to a Fibre Channel Fabric or to a Fibre Channel Arbitrated Loop.
Fibre Channel switched-fabric networks are often used to implement storage area networks. Storage Area Networks (SANs) are characterized as high-speed networks primarily conveying data between storage nodes and compute nodes, often utilizing separate network hardware from that used for general-purpose network functions.
Fibre Channel SAN traffic may include traffic utilizing the SCSI peripheral interconnection protocol encapsulated within Fibre Channel frames. SCSI over Fibre Channel typically requires that frames be delivered in-order and without duplication.
Compute nodes of storage area networks typically run an operating system that assumes that some or all storage is local to the compute node, or at least is private to that node. This storage is assumed to be xe2x80x9cownedxe2x80x9d by that node. Should that storage be accessed from another node, unpredictable results may occur.
It is sometimes desirable to configure a Fibre Channel SAN such that ports are grouped into zones, which may or may not overlap. A zoned configuration may restrict access to a particular storage node to only a subset of the compute nodes of the SAN. Similarly, a zoned configuration may restrict traffic to a particular compute node to that from specific storage nodes. These restrictions may be of use in enforcing security policies, and controlling ownership of storage resources.
Some extant Fibre Channel zoning systems, including some available from Brocade Communications Systems, implement zoning at the switch level. In these implementations, frame headers are decoded by each switch. A source and a destination identifier in the frame header are used to determine whether the frame will be forwarded to its intended destination. Frames having source and destination identifiers outside any permitted zone are dropped, thereby restricting traffic to within authorized zones.
It is known that message authentication on general purpose networks may be done by computing an authentication code based upon the message data and a key value known to both the machine originating and the machine receiving the message. This method may, however, be fooled by duplicated and retransmitted messages.
Tunneling is a technology whereby frames of transactions between a first node of a first network and a first node of a second network are encapsulated, often encrypted, and transmitted over a third network linking the first two networks. The encryption, encapsulation, and de-encapsulation are often performed by a second node of the first network and a second node of the second network.
A recent trend in networked systems is to store some or all data used by a first party""s system on a machine that may be owned by a different party. With Compaq""s Private Storage Utility, data belonging to a customer may reside on a storage system owned, operated, and maintained by a hosting company such as Compaq. Such a storage system may be a Fibre Channel node.
When a hosting company owns and operates a storage system to store customer""s data, it may be desirable to manage the storage system from a remote location. This is remote storage system management.
Remote storage system management may be accomplished through tunneling. This provides advantage in that many management functions may be achieved without travel expense.
Spoofing is the accidental or intentional injection of false messages into a system or network. These false messages have the potential to cause disruption of operation or corruption of data with potentially serious consequences.
False messages can be injected into a network by accidental corruption of valid messages. For example, diagnostic software may capture valid frames. Entire, albeit shorter than maximum length, captured frames may then be encapsulated in larger frames transmitted over the network for storage or analysis. Should the header of the larger frame be dropped, the encapsulated short frame may be misinterpreted as a valid frame and trigger unintended operation. Similarly, corruption of a destination address in a frame may cause that frame to be routed to an incorrect destination, where misdelivered frames can cause unwanted effects. Similarly, it is possible for a malfunctioning fabric (or a malicious intruder) to cause one or more frames to be replayed, or delivered more than once, the second delivery potentially causing undesired effects.
Spoofing may involve intentional injection of false messages. Frames may be injected that command reformatting, deletion, or changes to drives or partitions, alterations to network parameters including zoning, changes to passwords or security settings, and so on. These injected frames may be followed by other attacks aimed at reading data, including data for which the false frames may have altered security settings.
In the Fibre Channel context, it is conceivable that a malicious, faulty, or improperly configured, node may generate one or more frames having source identifier (S_ID) fields that do not accurately reflect the identity of the node. Since many zoned Fibre Channel fabrics deliver frames based exclusively on the source identifier (S_ID) and destination identifier (D_ID) fields of the frame, it is possible for malicious nodes to send spoof frames to other nodes of the network. With switch-based zoning, this possibility exists even if the malicious nodes are not part of the same zone as the recipient nodes.
It is desirable to prevent spoofing in a zoned storage area network. It is desirable that spoofing be prevented in such a way that undesirable activity caused by duplicate frames is prevented.
Further, consider remote system management. It is desirable that the possibility of spoofing be eliminated in a way that prevents damage due to spoof frames originating in networks that tunnel to the zoned storage area network.
A Fibre Channel storage area network utilizes frames having time-of-transmission and authentication-code fields. These fields are in addition to the normal fields of Fibre Channel frame headers, and may be implemented as a higher-level protocol encapsulated in the data portion of each frame or may be embedded in an enhanced frame header. The time-of-transmission field is derived from a real-time clock on each node. The real-time clock is incremented quickly enough that no two frames transmitted within a reasonable time of each other will have the same time-of-transmission field contents.
Each node of a zone participating in an exchange is assigned a key value, which may be unique to the exchange and is known to both the originating and receiving nodes of the exchange. This key value is used, along with the contents of the time-of-transmission field and other fields of the frame, to compute an authentication code that is transmitted in the authentication-code field of the transmitted frame. In a particular embodiment, the authentication code is computed using the MD2 hashing algorithm.
Key values are maintained in a table on each node of the storage area network. This table preferably contains unique key values for each node pair of the SAN between which communications are permitted, although a unique key value shared by a group of machines is operable.
Each node that receives the transmitted frame recomputes the authentication code based upon a key selected from the table according to the S_ID of the frame header. The recomputed authentication code is compared to that in the frame, those frames having mismatched authentication codes are dropped.
Similarly, frames having time-of-transmission fields indicating that they were not received within a reasonable time, or which duplicate recently received time-of-transmission fields, are also dropped. Consideration of the time-of-transmission prevents duplicate frames from causing problems.
This solution is believed capable of providing a degree of resistance to spoofing attacks launched over tunneling connections to the storage area network as well as those originating on the storage area network.
The foregoing and other features, utilities and advantages of the invention will be apparent from the following more particular description of a preferred embodiment of the invention as illustrated in the accompanying drawings.